Staking Ether on Prysm client with our Docker Composer

Document history

Date | Changes
15. December 2020 | Published

Important notes & Disclaimer

This guide is provided without any warranty/guarantee (“as is”). Feel free to let us know your feedback! We are happy to apply healthy critique to this guide!

Overview

There are several steps to complete a prysm-only (standalone) Ethereum 2.0 staking setup for Pyrmont testnet. This guide uses ethereum2-docker-compose to orchestrate the services. Some (not all) software used in this particular guide:

Hardware recommendations

The following hardware specifications are recommended to run the Prysm client on testnet; mainnet requires higher specifications than testnet.

  • CPU: 4 vCPUs or higher
  • Memory: 8 GB or higher
  • Storage: 100 GB of available SSD space for testnet (in this guide Pyrmont)
  • Internet: Stable broadband connection

Warnings!

This guide is for the Pyrmont testnet.

Guide’s steps

In unison, we’ll go through the following steps to achieve staking with the prysm client:

  1. Connect & Prepare the server
  2. Prepare the validator(s)
  3. Prepare ethereum2-docker-compose
  4. Run ethereum2-docker-compose and staking ether

Here’s a checklist to ensure you start with the needed resources and skills, before we move on to step 1

Let’s get started!

Step 1 – Prepare Server

1.1 Connect to the Server

Using an SSH client, connect to your Ubuntu server. In this guide PuTTY installed on Windows is used to connect to the Ubuntu server. You can of course use another SSH client on another operating system.

If you don’t already use PuTTY, download it and follow the installation guide. After successful installation, navigate to the directory where you installed the application and run the .exe file:

Connection to the server with Putty

Enter your server IP address in the Host Name (or IP Address) field and a session name in the Saved session field, then click Save to keep the configuration for the next time you connect to your server.

Click Open then put your user name and password in terminal to log in to your server. That’s it, you are in!

Next time you can choose your session from Saved session bar, then click Open to connect to your server.

1.2 Change your authentication method from password to key (optional – SSH only)

Passwords are somewhat easy to guess or brute-force. Using key-based authentication when you access your node via SSH is therefore a recommended and easy way to enhance the security of your server. However, this is not mandatory if you either don’t expose the SSH port to the internet or don’t use SSH at all (e. g. having physical access only).

Generate SSH authentication keys

Execute puttygen.exe, which was installed together with PuTTY.

puttygen.exe

Now let’s generate a key pair: click the Generate button and move your mouse over the “PuTTY Key Generator” window until the progress bar is full.

generating key

After successful creation of your SSH key, save the public key as well as the private key.

Keep the private key safe; don’t expose it to other users or unsafe storage (e.g. an unencrypted USB stick). Also copy the text in the locked textbox (usually starts with ssh-rsa...) and save it too. Now you can close the application.

generated key

Connect to your server with your regular user, edit the file ~/.ssh/authorized_keys by executing nano ~/.ssh/authorized_keys and add the text you copied previously in a new line, looking like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxdmaA0w//jS56ZpX+Oxv7pmq58+PrKGYAoKeXm3Z5wdw/MrdFwdNf3rKVyv6GX0RXt2xLhqoPlxrW9YRjwsRIYUTh/XQN7/i/kYewtb/hoJZ2I0U2YbutpqBPdSuMbJZY5lSTx2IH/0AOLG2K4w3W+SYhX4pDuAABzzdBg+W+pmI5nJBdk1YheLKYJVtab1VWK0pX8QfdDDo7qwCoSRlFDOzoNNvvTUVvXmRe+Qy6Sr8WT9LN2d/BDm95DzXzXWzs7SsEKP6MbXCpAp25zBzV3Z+Ltu9uws798IE5/kwQtTTe6geC/g6m15TW8nakgX1Yjff6C1P1P89dTsrfUyhdQ== rsa-key-20201118

Exit and save the file <Ctrl+X> and execute following command to make this file only accessible by your user

chmod 600 ~/.ssh/authorized_keys

Use SSH authentication keys

Putty

After that try to connect to your server using putty with key authentication. Use the setting Private key file for authentication and Browse... your previously generated and saved private key file. Don’t forget to enter an IP in the Session and click Open

Putty will ask you for your username – as usual – after you enter your username you should immediately login without the need of entering a password.

Private key for authentication

SSH command

If you don’t want to use putty but instead the SSH command of Windows 10, create a directory in your home folder with the name .ssh and copy your private key there, don’t forget to rename the private key file to id_rsa. This also works on linux and mac.

Disable password authentication for SSH

We already managed to login via keys. Now we can disable password authentication for SSH. To do this, run the following command to edit the necessary file

sudo nano /etc/ssh/sshd_config

Then edit the following lines as below:

  • Uncomment (remove the # in front of the line): PubkeyAuthentication yes
  • Find the line with “PasswordAuthentication” and change it to: PasswordAuthentication no

Exit and save the config file <Ctrl+X> and restart SSH by entering:

sudo systemctl restart sshd

Check it out by reconnecting your SSH session!

1.3 Create new user

By default the root user account on Ubuntu server is disabled; however, some cloud providers enable it. It is risky to use the root user account to log in to the server. If you currently log in as root, create a new user-level account with admin privileges and use it instead of root to log in to your server.

Let’s create a new user-level account on the Ubuntu server as follows

adduser <your-username>

You will be asked to create a password and enter some other information. At the end of the account creation process type “y” or “Y” to confirm that the information is correct.

a new user-level account on ubuntu

That’s it! We’ve just created a new user on your Ubuntu server! Next we are going to give admin rights to the new user.

To grant admin rights to the new user-level account, execute the following

usermod -aG sudo <your-username>

When you log in as <your-username> you can type sudo before a command to execute it with superuser privileges

Optional

If you used SSH keys to connect to your Ubuntu server as the root user, you will need to associate the new user with the root user’s SSH key data by executing the following command

rsync --archive --chown=<your-username>:<your-username> ~/.ssh /home/<your-username>

Then log out of root and log in as <your-username>. Now you can proceed further with your new user account. Congratulations!

1.4 Keep your Ubuntu up-to-date!

Most security vulnerabilities get fixed fast by the maintainers, therefore it’s important to keep your Ubuntu server updated by running:

sudo apt update && sudo apt upgrade -y

It’s not recommended to do this automatically because there are updates which need guidance in the update process (e. g. which config file to take, etc.)

However, running an update once a week isn’t much work and keeps your system safe and stable

1.5 Configure the firewall

A commonly used firewall is “ufw”. It’s used to restrict inbound traffic to the server. Before we enable it, SSH inbound traffic should be allowed

Allow SSH

This allows connections to the server over SSH. We are going to change the default port of 22 for security reasons as follows

Choose a port number between 1024–49151 and run the following command to make sure your selection is not already in use on the server. If your chosen port number is in use you will get red text; in that case choose a different port number

sudo ss -tulpn | grep ':<your-SSH-port-number>'

Update the firewall to allow inbound traffic on <your-SSH-port-number>. SSH requires TCP

sudo ufw allow <your-SSH-port-number>/tcp

Next change the default SSH port

sudo nano /etc/ssh/sshd_config

Find the line with # Port 22 and change it to Port <your-SSH-port-number>. Remove the # in front of the line if it was present.

changing SSH port

Exit and save the config file <Ctrl+X> and restart SSH by following command

sudo systemctl restart ssh

Then check that the firewall rules have been configured correctly. In this guide port number 1234 is used as the SSH port.

sudo ufw status numbered
ufw status

Then reconnect to your server using <your-SSH-port-number> instead of the SSH default port 22. Select your saved session from the previous step and enter your chosen SSH port number as the port. Using PuTTY it should look like this

putty using custom port number
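
The settings from sections 1.2 and 1.5 only take effect if nothing read earlier sets the same keyword: sshd keeps the first value it obtains, including values from files pulled in by an Include line. The following check is an added example, not part of the original guide; the drop-in file name and the sample file contents are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): which value does sshd actually use?
# sshd keeps the FIRST value it reads for a keyword, so a file pulled in by an
# "Include" line above your edit wins over the edit.

# effective_value KEYWORD FILE...   FILEs in the order sshd reads them.
# Prints the first global (non-Match) value; returns 1 if the keyword is unset.
effective_value() {
  local key=$1; shift
  awk -v key="$key" '
    FNR == 1                    { in_match = 0 }  # a Match block ends with its file
    /^[ \t]*(#|$)/              { next }          # skip comments and blank lines
    tolower($1) == "match"      { in_match = 1 }
    in_match                    { next }          # conditional settings are ignored
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END                         { exit !found }
  ' "$@"
}

# check_ssh_hardening FILE...   Returns 0 only if the guide's settings are in effect.
check_ssh_hardening() {
  local rc=0 pw pk port
  pw=$(effective_value PasswordAuthentication "$@") || pw=yes   # sshd default
  pk=$(effective_value PubkeyAuthentication "$@")   || pk=yes   # sshd default
  port=$(effective_value Port "$@")                 || port=22  # sshd default
  [ "$pw" = no ]    || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
  [ "$pk" = yes ]   || { echo "FAIL PubkeyAuthentication=$pk"; rc=1; }
  [ "$port" != 22 ] || { echo "FAIL Port=22 (still the default)"; rc=1; }
  return $rc
}

# Constructed sample: the main file edited as in this guide, plus a drop-in
# (made-up file name) that re-enables password logins.
write_samples() {
  mkdir -p "$1/sshd_config.d"
  printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '#Port 22' 'Port 1234' \
    'PubkeyAuthentication yes' 'PasswordAuthentication no' > "$1/sshd_config"
  printf '%s\n' '# written by an image build' 'PasswordAuthentication yes' \
    > "$1/sshd_config.d/50-example.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
# The Include sits on the first line, so the drop-in is read before the main file.
check_ssh_hardening "$demo_dir/sshd_config.d/50-example.conf" "$demo_dir/sshd_config" \
  || echo "password logins are still enabled"
check_ssh_hardening "$demo_dir/sshd_config" && echo "main file alone is fine"
rm -rf "$demo_dir"
```

On the server itself, `sudo sshd -T` prints the configuration sshd actually resolved and is the authoritative check.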

1.6 Installing necessary packages

System packages

Start by installing the necessary packages with apt

sudo apt install git apt-transport-https ca-certificates curl software-properties-common python3-pip python3-docker virtualenv python3-setuptools gnupg2 pass net-tools

This installs the following

  • git (source control to download ethereum2-docker-compose)
  • python3 + tooling
  • various other tooling

Docker & Docker-compose

Next, docker & docker-compose will be installed and we need both to run ethereum2-docker-compose

  • docker: open source containerization platform
  • docker-compose: defining and running multi-container docker applications

Run the following commands to install the necessary packages (some of them will be downloaded from the docker repository rather than Ubuntu’s main repositories)

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update && sudo apt install docker-ce docker-compose

Last but not least, your user needs the privilege to run docker (replace <your-username> with your regular user name)

sudo usermod -aG docker <your-username>

Verify install

After successful installation let’s try to get the version of docker by following command

sudo docker version

and you should see something like this

Docker version

That’s all! We’ve just finished the installation of necessary packages which will be utilized to run ethereum2-docker-compose

Step 2 – Prepare Validator

Firstly we need to sign up validator account(s) to run validator(s) on the Ethereum 2.0 Pyrmont testnet

To sign up we will go through following steps:

  • Get goerli Ether (ETH) for testnet
  • Generate the validator key(s)
  • Stock the validator account(s)
  • Check validator’s status

2.1 Get goerli Ether (ETH)

Open your favorite browser (in this guide we will use “Google Chrome”), navigate to “More tools -> Extensions” and then click “Chrome Web Store”

chrome web store

Search “Metamask” in search bar and click on it

metamask extension

On the next window click on “Add to Chrome” then “Add Extension”. It will take a few seconds

add metamask to google chrome

Now the MetaMask extension is installed in your browser. Next click on the “Metamask” icon, then “Get started” to sign up

metamask get started

Choose the “Create a Wallet” option since we want to create a new wallet for Goerli Ethereum (ETH).

You can also choose the “Import wallet” option to import an existing wallet using a 12 word seed phrase

create a wallet

You will be asked to create a password. Enter your MetaMask wallet password and click on “Create”. On the next window read “Tips” before you save the “Secret backup phrase”, then click “Next”

metamask backup phrase

In the next window you have to enter your backup phrase to make sure it is saved correctly.

confirm backup phrase

If you did everything right then you should see “Congratulations”!

Congratulations!

Congratulations :)! Your MetaMask wallet is now in your web browser and ready to use!

Afterwards log in to your wallet and using the drop-down at the top, select the “Goerli Test Network”

Goerli test Network

Then click on “Account” to copy your “Goerli Test Network” wallet address

copy wallet address

You can get Goerli ETH from the #request-goerli-eth channel on the ethstaker Discord using your wallet address: !goerliEth <your-wallet-address>

get goerli from ethstaker Discord

32 ETH + gas fee deposit is required for each validator. Every 6 hours you can get 32 ETH from #request-goerli-eth channel on the ethstaker Discord

2.2 Generate validator keys

The validator client supports multiple validator keys. Each validator key is basically a “validator account” on the Pyrmont testnet. We will generate the validator keys using Eth2 launch pad for pyrmont testnet. Go here and click “GET STARTED”

pyrmont launchpad

Go through the warning steps and click “Continue” at the bottom of the page

pyrmont launchpad warnings

On the next page select “Geth” (we will use Geth as Eth1 client) and click “Continue”

Select “Prysm” (we will use Prysm as Eth2 client) and click “Continue”

Next enter your number of validators and choose the OS on which the validator key(s) will be generated. In this guide we will use Windows as OS and the number of validators is 2

number of validator and OS

Then select “Download CLI app” and click “Download from Github”

download CLI app from github

In the assets section download “Latest release” of the deposit CLI app for windows eth2deposit-cli-ed5a6d3-windows-amd64.zip

download eth2deposit-cli

Extract the eth2deposit-cli-ed5a6d3-windows-amd64.zip where you want and navigate to deposit.exe then copy the path of deposit.exe

Open the Windows command prompt (cmd) to execute deposit.exe. Navigate to deposit.exe using the command prompt as shown below

navigate to deposit.exe using CMD

Then execute the following command to generate the validator key(s). The --num_validators option is the number of validator(s) you want to generate

generate validator key(s)

Choose mnemonic language and type your chosen language. In this guide English is chosen as mnemonic language then press <Enter>

Type validator keystore(s) password and repeat it then press <Enter>

validator keystore(s) password

After that you will see something like this

validator keystore(s) seed phrase

Write it down and save it. Next you have to type your mnemonic to confirm that you’ve written it down, then press <Enter>

confirm mnemonic

After you’ve written mnemonic correctly, you should see something like this

generate validator keystore(s)

The newly created validator keys and deposit data file are at the specified location. See above!

The deposit_data-123….json file contains the public keys for the validators and information about the deposit. This file will be used to complete the deposit process in the next step.

The keystore-m_123...json files contain the encrypted signing key. There is one keystore-m per validator. These will be used to create the client validator wallet

Go back to the web browser, scroll down to the bottom of the page, then click “Continue”

Since the validator keystore(s) are generated on the Windows machine, we have to transfer them to the Ubuntu server.

From the windows machine, right-click on the network connections icon in the right bottom of the taskbar

network connection icon

Choose “Open Network & Internet settings”

open network & internet settings

Next choose “Sharing options”

sharing options

Now from your current network profile, choose the following options then press “Save changes”

current network profile

Open your file explorer and go to the validator key(s) directory then right-click on the folder and select “Properties”

open properties

After opening the folder properties, choose the “Sharing” tab and select “Advanced Sharing”

open advanced sharing

Mark “Share this folder” then press “Apply” and press “OK” to continue

share this folder

Open windows command prompt and execute following

scp transfer

Only the keystore-m_123...json files need to be transferred to the server, not the deposit_data-123….json file. Now your validator keystores are on the server and they will be imported in the next step

2.3 Stock the validator account(s)

This step involves depositing the required amount of Goerli ETH to the Pyrmont testnet staking contract.

You will be asked to upload the deposit_data-123….json file which was generated previously. Browse or drag the file and click “Continue”

upload deposit file

Choose MetaMask, since we use it for this guide, then click “Continue”. You can of course use another wallet if you already have one

choose wallet

Your MetaMask balance will be displayed. The site will allow you to continue if you have sufficient Goerli ETH balance

wallet balance

A summary shows the number of validators and total amount of Goerli ETH required. Check the warnings if you agree then click “Continue”

summary

Click on “Initiate all Transactions”

transactions

This will pop open multiple instances of MetaMask, each with a 32 Goerli ETH transaction request to the Pyrmont testnet deposit contract. Click “Confirm” for each transaction.

After clicking “Confirm” for each transaction you should get the status “Transaction Successful”; then click “Continue”

transaction status

You will get a complete checklist. Go through this list and make sure you’ve done everything correctly!

checklist

Done! We’ve prepared validator(s)!

2.4 Check validator’s status

Newly added validators can take a while (hours to days) to activate. You can check the status of your keys here. Put your Goerli Test Network wallet address in search bar then your keys will be shown as below

validator status

Step 3 – Prepare ethereum2-docker-compose

3.1 Clone repository

The next steps will guide you to install ethereum2-docker-compose in /opt. If you don’t feel comfortable with the path feel free to replace it with any path you might deem more appropriate.

Change directory by running

cd /opt

That was easy, right? Now a bit more heavy stuff

  • download (in git terms “clone”) the repository
  • change ownership of repository, replace <your-user> with your regular username
  • give execution permission to scripts

sudo git clone https://github.com/stereum-dev/ethereum2-docker-compose.git
sudo chown -R <your-user>:<your-user> ethereum2-docker-compose

3.2 Setup prysm-only docker-compose

Go to your new Ethereum 2 node and have a look

cd /opt/ethereum2-docker-compose
ll

You see a couple of files and directories:

Directory/file | Description
compose-examples | Collection of pre-defined docker-compose.yaml and docker-compose.override.yaml files
config | Config files for all services defined in docker-compose
data | Persistent data of containers
launchpad | If you want to import a launchpad wallet, drop your launchpad validator_keys here
wallets | Sensitive data! This contains the wallets with the accounts for staking
.env | Settings for running docker-compose files (e. g. versions of docker images)
edc-* | Small scripts to manage docker-compose

Overview of the structure of ethereum2-docker-compose

Minimal Setup (beacon & validator only)

In case you want to run only beacon & validator (geth, slasher, prometheus, grafana get disabled) move the ./compose-examples/prysm-only/override-examples/docker-compose.beacon-validator.override.yaml file in the same folder as your docker-compose.yaml and rename it to docker-compose.override.yaml. Read up on docker-compose files & override to customize your setup further.

Configure your node (optional)

Configuration files are located in the folder ./config. To gain a better connectivity for your beacon node you should specify your public ip and/or your dns name in ./config/prysm/beacon.yaml. Follow the guide Improve Peer-to-Peer Connectivity.

Validator accounts with launchpad

The necessary directories need to be created. Please create the directories ./data/prysm/validator/wallets.

Then put your wallet password in ./data/prysm/validator/passwords/wallet-password using following command

nano ./data/prysm/validator/passwords/wallet-password

Replace the placeholder with your wallet password: <my-wallet-password>

wallet password

Wallet password will be utilized to import your validator account(s). Exit and save the file <Ctrl+X>

After that, copy the related files ./compose-examples/prysm-only/docker-compose.yaml and compose-examples/prysm-only/create-account.yaml to the project’s root directory ~/ethereum2-docker-compose using the following commands

cp compose-examples/prysm-only/docker-compose.yaml docker-compose.yaml
cp compose-examples/prysm-only/create-account.yaml create-account.yaml

We are going to run prysm-only from the project’s root directory. The docker-compose.yaml contains the service definitions with networking, storage, etc. while create-account.yaml contains configuration to import validator accounts into beacon node.

Next, copy the validator keystore(s) generated in the previous step (~/keystore-m_123...json) to ./launchpad/eth2.0-deposit-cli/validator_keys; the validators will be imported from there. Use the following commands to create the ./launchpad/eth2.0-deposit-cli/validator_keys directory

cd /opt/ethereum2-docker-compose
sudo mkdir -p ./launchpad/eth2.0-deposit-cli/validator_keys

A. Go back to the home directory where your validator keystore(s) files are stored from previous step then copy keystore-m_123...json files into ./launchpad/eth2.0-deposit-cli/validator_keys directory.

cd ~
sudo cp keystore-m_123...json /opt/ethereum2-docker-compose/launchpad/eth2.0-deposit-cli/validator_keys

B. The last thing we have to do before running ethereum2-docker-compose is execute following command to import your validator accounts

cd /opt/ethereum2-docker-compose
docker-compose -f create-account.yaml run validator-import-launchpad

You will be asked to accept terms and conditions, read it here then type “accept” to continue importing validators

accept term and conditions

and put the same password as in the generation of the validator(s) (see above step 2.2)

validator password

You can repeat step A & B as often as you like, make sure to restart your validator to make it notice your new accounts!

That’s all! The validators are imported into beacon node. Now we are ready to run ethereum2-docker-compose and staking ether.
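
The wallet password file and the keystores created in this step get default permissions, so with the usual umask they are readable by every local user, including the copies made with sudo. The following audit is an added example, not part of ethereum2-docker-compose; it assumes the containers read these paths as root or as the owning user, and the sample tree it builds is constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of ethereum2-docker-compose): find validator secrets
# that users other than the owner can access, then restrict them.

# audit_secrets ROOT: print every existing secret path named in this guide that
# has any group/other permission bit set; return status = number of findings.
audit_secrets() {
  local root=$1 n=0 p perms
  set -- "$root/data/prysm/validator/passwords/wallet-password" \
         "$root/data/prysm/validator/wallets" \
         "$root/launchpad/eth2.0-deposit-cli/validator_keys" \
         "$root"/launchpad/eth2.0-deposit-cli/validator_keys/keystore-m_*.json
  for p in "$@"; do
    [ -e "$p" ] || continue                  # also skips an unmatched glob
    perms=$(ls -ld "$p" | cut -c1-10)        # e.g. -rw-r--r--
    case $perms in
      ????------) ;;                         # owner-only: fine
      *) echo "$perms $p"; n=$((n + 1)) ;;
    esac
  done
  return "$n"
}

# lock_down ROOT: remove all group/other access below the secret directories.
# On the server the copies made with sudo are owned by root, so run it with sudo.
lock_down() {
  local d
  for d in "$1/data/prysm/validator/passwords" \
           "$1/data/prysm/validator/wallets" \
           "$1/launchpad/eth2.0-deposit-cli/validator_keys"; do
    [ -e "$d" ] && chmod -R go= "$d"
  done
  return 0
}

# Constructed sample tree, created with the common default umask 022.
make_sample_tree() {
  ( umask 022
    mkdir -p "$1/data/prysm/validator/passwords" "$1/data/prysm/validator/wallets" \
             "$1/launchpad/eth2.0-deposit-cli/validator_keys"
    echo 'constructed-password' > "$1/data/prysm/validator/passwords/wallet-password"
    echo '{}' > "$1/launchpad/eth2.0-deposit-cli/validator_keys/keystore-m_constructed.json" )
}

demo=$(mktemp -d)
make_sample_tree "$demo"
audit_secrets "$demo" || echo "$? path(s) accessible to other users"
lock_down "$demo"
audit_secrets "$demo" && echo "clean after lock_down"
rm -rf "$demo"
```

On the server, point both functions at /opt/ethereum2-docker-compose and confirm the import and the validator still start afterwards.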

Let’s go to the last step & run it as STAKER!

Step 4 – Run ethereum2-docker-compose and staking ether

Start it up

Run with (as daemon with “-d”)

docker-compose up -d

or run only certain services (in this case only beacon and validator)

docker-compose up -d beacon validator

Stop it

Stop services (or everything) like this

docker-compose stop validator slasher

Shut it down for good

Shut down your services (or everything) like this

docker-compose down

Please note: This will also erase your logs, they are stored with your containers and will be deleted as well

Logging

Docker takes care of log files and log file rotation as well as limit (set to 10x100mb log files for each service). View logs of a certain service

At first geth needs to catch up, this might take a while. You can check on geth with

docker-compose logs --tail=100 geth

You can do the same with all other services to check how it’s going

docker-compose logs --tail=100 beacon
docker-compose logs --tail=100 validator
docker-compose logs --tail=100 prometheus
docker-compose logs --tail=100 slasher
docker-compose logs --tail=100 grafana

For a complete list and a status of services run

docker-compose ps

Monitoring

Prometheus

Prometheus is running on port 9090 and is only accessible via localhost. Therefore an SSH tunnel needs to be opened; the following SSH command forwards the necessary port for Prometheus

ssh -L 9090:localhost:9090 <user>@<your-server-ip-or-dns>

or if you are using PuTTY it should look like this

putty SSH tunnel for prometheus

To access prometheus, open your favorite web browser and visit http://localhost:9090. You can type or choose some “Expression” then click on <Execute> button to get response! Use “Graph” tab to get response with illustrations

prometheus

Grafana

Do you want to see some basic metrics? No problem! Grafana is running on port 3000 but only accessible via localhost too. This means you need to open a SSH tunnel. When working with ssh command use following

ssh -L 3000:localhost:3000 <user>@<your-server-ip-or-dns>

For putty, use this setting and click on “Add”, then start your session normally (don’t forget to save)

putty SSH tunnel for grafana

Now open a browser and access http://localhost:3000 and use “admin” for username and password. You might want to enter a new more secure password after this, then click on the left menu on “Dashboard” -> “Manage” and click on an existing dashboard

grafana

Often times grafana doesn’t start due to permission issues, we’ll resolve this by using your user to run the grafana container. First, find out your user id:

id -u

Remember or write down this number and edit the docker-compose.yaml:

nano docker-compose.yaml

Now edit the service “grafana” and add “user: …” to it, so it looks something like this (replace “<your-user-id>” with the number you got above):

add user id

Prysm Web Interface

In order to use the “Prysm Web Interface” you also need to open SSH tunnels, with the following SSH commands

ssh -L 7500:localhost:7500 <user>@<your-server-ip-or-dns>
ssh -L 3500:localhost:3500 <user>@<your-server-ip-or-dns>

Or for putty, use this setting and click on add, then start your session normally (don’t forget to save)

putty SSH tunnel for prysm web interface

Next open your favorite web browser and visit http://localhost:7500 then put your “Prysm Web Interface” password to log in

prysm web interface login page

If it’s the first time, choose the “Imported Wallet” option to import your validator keystore_m...json file generated by the eth2.0-deposit-cli in step 2.2. Then follow the steps and set a STRONG “Prysm Web Interface” password (Note: the web interface password is different from the wallet password and from the validator keys’ password).

That’s all! Now you can monitor your beacon node, validator logs and more…

prysm web interface

Thanks for using ethereum2-docker-compose!

Enjoy staking!
